forderud / IntelliMouseDriver

Filter drivers for Microsoft Pro IntelliMouse that implements safety checks and exposes a WMI interface
MIT License

Investigate WMI WMIInterface security descriptor #27

Closed forderud closed 1 year ago

forderud commented 1 year ago

Registry folder with WMI class security: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security

WMI classes with default security don't seem to be listed.


Feedback Hub report on leaking security descriptors after driver uninstall: https://aka.ms/AAmidja

Current security

Registry dump:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security
Class Name:        <NO CLASS>
Last Write Time:   9/2/2023 - 5:38 AM

...

Value 520
  Name:            07982702-2086-4b83-9444-34989bb10554
  Type:            REG_BINARY
  Data:            
00000000   01 00 04 80 5c 00 00 00 - 6c 00 00 00 00 00 00 00  ....\...l.......
00000010   14 00 00 00 02 00 48 00 - 03 00 00 00 00 00 18 00  ......H.........
00000020   ff 0f 12 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
00000030   20 02 00 00 00 00 14 00 - 01 00 00 00 01 01 00 00   ...............
00000040   00 00 00 01 00 00 00 00 - 00 00 14 00 ff 0f 12 00  ............ÿ...
00000050   01 01 00 00 00 00 00 05 - 12 00 00 00 01 02 00 00  ................
00000060   00 00 00 05 20 00 00 00 - 20 02 00 00 01 02 00 00  .... ... .......
00000070   00 00 00 05 20 00 00 00 - 20 02 00 00              .... ... ...

This perfectly matches the security descriptor specified in the INF/INX file. Proof:

    #include <windows.h>
    #include <sddl.h>
    #include <vector>

    // SDDL string from the INF/INX -> self-relative SECURITY_DESCRIPTOR (LocalAlloc'ed by the API)
    PSECURITY_DESCRIPTOR sd = nullptr;
    ULONG sd_size = 0;
    ConvertStringSecurityDescriptorToSecurityDescriptorA("O:BAG:BAD:(A;;0x120fff;;;BA)(A;;CC;;;WD)(A;;0x120fff;;;SY)", SDDL_REVISION_1, &sd, &sd_size);
    std::vector<BYTE> sd_vec(sd_size, 0);
    memcpy(sd_vec.data(), sd, sd_size); // copy the binary SD so it can be compared byte-for-byte with the registry value
    LocalFree(sd);

sd_vec content:

01 00 04 80 5c 00 00 00 - 6c 00 00 00 00 00 00 00
14 00 00 00 02 00 48 00 - 03 00 00 00 00 00 18 00
ff 0f 12 00 01 02 00 00 - 00 00 00 05 20 00 00 00
20 02 00 00 00 00 14 00 - 01 00 00 00 01 01 00 00
00 00 00 01 00 00 00 00 - 00 00 14 00 ff 0f 12 00
01 01 00 00 00 00 00 05 - 12 00 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00

wmi_security.reg.txt
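The byte-for-byte comparison above shows the registry blob equals the INF string, but it does not show what the blob actually grants. The following is an added example (not code from this issue or from the IntelliMouseDriver project) that decodes the self-relative SECURITY_DESCRIPTOR quoted above offline with Python's `struct`: header, owner and group SIDs, and each ACE of the DACL with its access mask, and then rebuilds the SDDL string so the three grants (Administrators and SYSTEM get 0x120fff, Everyone gets only CC = 0x1) can be read directly. The hex dump is the one from the issue; the SID-alias table and the `mask_to_sddl` mapping (0x1 rendered as CC, everything else as raw hex, matching how the INF writes it) are assumptions made for this example and cover only what this descriptor needs.

```python
import struct

# REG_BINARY value 07982702-2086-4b83-9444-34989bb10554 from the issue's registry dump
# (HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security), copied without offsets/ASCII columns.
REG_DUMP = """
01 00 04 80 5c 00 00 00 - 6c 00 00 00 00 00 00 00
14 00 00 00 02 00 48 00 - 03 00 00 00 00 00 18 00
ff 0f 12 00 01 02 00 00 - 00 00 00 05 20 00 00 00
20 02 00 00 00 00 14 00 - 01 00 00 00 01 01 00 00
00 00 00 01 00 00 00 00 - 00 00 14 00 ff 0f 12 00
01 01 00 00 00 00 00 05 - 12 00 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00
"""

# Well-known SIDs and their SDDL aliases; assumption: only the three used by this descriptor.
SID_ALIASES = {"S-1-5-32-544": "BA", "S-1-1-0": "WD", "S-1-5-18": "SY"}
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def dump_to_bytes(dump: str) -> bytes:
    """Turn a 'xx xx - xx xx' style hex dump into raw bytes (the '-' separators are skipped)."""
    return bytes(int(tok, 16) for tok in dump.split() if tok != "-")


def parse_sid(buf: bytes, off: int):
    """Parse a binary SID at offset; return (string form, byte length)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian identifier authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)      # little-endian sub-authorities
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * count


def parse_acl(buf: bytes, off: int):
    """Parse an ACL header and its ACEs; returns a list of dicts (type, flags, mask, sid)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
        pos += ace_size   # ace_size is authoritative; do not assume a fixed ACE length
    return aces


def parse_security_descriptor(buf: bytes):
    """Decode a self-relative SECURITY_DESCRIPTOR (revision 1) into owner, group and DACL."""
    revision, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    sd = {"control": control, "owner": None, "group": None, "dacl": None}
    if off_owner:
        sd["owner"] = parse_sid(buf, off_owner)[0]
    if off_group:
        sd["group"] = parse_sid(buf, off_group)[0]
    if control & SE_DACL_PRESENT and off_dacl:   # offset 0 with DACL_PRESENT would mean a NULL DACL
        sd["dacl"] = parse_acl(buf, off_dacl)
    return sd


def mask_to_sddl(mask: int) -> str:
    """Assumption for this example: CC (0x1) gets its SDDL alias, anything else is written as hex."""
    return "CC" if mask == 0x1 else "0x%x" % mask


def to_sddl(sd) -> str:
    """Rebuild the SDDL string; handles plain allow ACEs without flags, as in this descriptor."""
    alias = lambda s: SID_ALIASES.get(s, s)
    out = "O:%sG:%s" % (alias(sd["owner"]), alias(sd["group"]))
    if sd["dacl"] is not None:
        out += "D:"
        for ace in sd["dacl"]:
            if ace["type"] != ACCESS_ALLOWED_ACE_TYPE or ace["flags"]:
                raise NotImplementedError("only unflagged ACCESS_ALLOWED ACEs are handled")
            out += "(A;;%s;;;%s)" % (mask_to_sddl(ace["mask"]), alias(ace["sid"]))
    return out


if __name__ == "__main__":
    sd = parse_security_descriptor(dump_to_bytes(REG_DUMP))
    print("owner:", sd["owner"], "group:", sd["group"])
    for ace in sd["dacl"]:
        print("  allow 0x%08x to %s" % (ace["mask"], ace["sid"]))
    print(to_sddl(sd))
```

Running it prints the owner/group (S-1-5-32-544, Builtin Administrators), the three ACEs, and `O:BAG:BAD:(A;;0x120fff;;;BA)(A;;CC;;;WD)(A;;0x120fff;;;SY)`, which is the string in the INF. The useful check for a defender is the middle ACE: Everyone (S-1-1-0) is limited to mask 0x1, so a stray descriptor left under the WMI\Security key after uninstall does not grant wider access than the INF intended.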

forderud commented 1 year ago

Completed in 4d6c04553648e11ed11b8553858a004713a16af0